Free Malware Removal Forum

Welcome to MalwareRemoval.com. What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use, are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

After booting my computer this morning I received an acoustic warning followed by a pop up from Antivir warning me that a cognitive sample from the malware BDS/Papras.aak has been found in my system. As I am not sure that I will be able to remove this from my system, and a format is the least favourite solution, I would be grateful for any assistance and help from experts. Thank you, I am looking forward to your reply.

Hi jdr 275,

There are quite a large number of things to do here. Please do them in the sequence as listed.

-----------------------------------------------

Please Note Our Policy on the Use of P2P (Person to Person / Peer to Peer) file sharing programs

It is posted here: http://malwareremoval.com/forum/viewtopic.php?p=491394#p491394

As a condition of receiving our help, I have included the P2P program BitTorrent in the removal instructions below, so we are not wasting our time. If you have used this, you can be fairly confident this is a principal reason your computer is infected.

It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Frostwire, Limewire, Vuze, Shareaza, Bitlord. (Limewire has just been shut down by the courts.) Criminals have "planted" thousands of infections in the "free" shared files. Some of the recent infections can ruin the operation of your machine.

-----------------------------------------------

Older versions such as your current "Adobe Reader 7.0.7 - Deutsch" are vulnerable to infection. You need to have at least version 9.4, as per the following instructions. We will also update your Java.

-----------------------------------------------------------

Remove Registry items with HijackThis

Start HijackThis. Click Do System Scan Only. When the Scan is complete, Check the following entries (some of these lines may be missing):

O17 - HKLM\System\CCS\Services\Tcpip\..\{07001AE9-9804-49CE-BF81-1805CAC2EE49}: NameServer = 93.188.164.75,93.188.166.225
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CAEFA61-3C40-4EDD-A5BC-DDBC32F9FF24}: NameServer = 93.188.164.75,93.188.166.225
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.75,93.188.166.225
O17 - HKLM\System\CS1\Services\Tcpip\..\{07001AE9-9804-49CE-BF81-1805CAC2EE49}: NameServer = 93.188.164.75,93.188.166.225
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.75,93.188.166.225

Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked. Click the "X" in the upper right corner of the HiJackThis window to close it.

-----------------------------------------------------------

REBOOT (RESTART) Your Machine

-----------------------------------------------------------

Remove Programs Using Control Panel

From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs. Highlight each Entry, as follows, one by one, if it exists, and choose Remove:

Adobe Reader 7.0.7 - Deutsch
BitTorrent
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 6
Java(TM) SE Runtime Environment 6 Update 1

Take extra care in answering questions posed by any Uninstaller.

------------------------------------------------------------

Download the latest version of Adobe Reader from here: http://www.chip.de/downloads/Adobe-Reader_12998358.html and install it on your system.

------------------------------------------------------------

Download and Install the latest version of Java Runtime Environment from here: http://java.sun.com/javase/downloads/index.jsp, and install it to your computer.

In the first section on the page, labeled JDK 6 Update 23 (JDK or JRE), click on the button labeled Download JRE. Do NOT choose the button labeled "Download JDK". Select the Platform Windows and check the box to agree to the license. Choose the Windows Offline installation version and click on the link. Download it, choose Save, and save it to your desktop. Then doubleclick it on your desktop, and it will install the newest version of Java for you to use. You can then remove the Installer from your desktop.

-----------------------------------------------

Get Last Avira Report

Right click the red umbrella icon in the system tray and click Start Antivir. In the left pane, click Overview, then click Reports. There will be reports titled Update and reports titled Scan. Find the most recent report in the list titled Scan. Click on the Report File button, or Right click the report and choose Display Report. The report contents will come up in Notepad. Highlight the entire report (Ctrl+A) and copy to the clipboard (Ctrl+C). Paste the contents (Ctrl+V) into your next reply.
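The O17 entries above are the part of this thread worth automating a check for: a NameServer value that points every interface at the same pair of unfamiliar public addresses is the classic sign of a DNS-changer. The script below is an added example (not from askey127 or MalwareRemoval.com) that parses HijackThis O17 lines and flags any resolver that is not on an allowlist you supply. The allowlist (the router address 192.168.1.1) and the non-O17 log line are constructed; the two 93.188.x.x resolvers are the ones quoted in this thread.

```python
"""Flag HijackThis O17 NameServer entries that point at unexpected DNS resolvers."""
import ipaddress
import re

# One HijackThis O17 line: registry key, then the NameServer value (comma separated IPs).
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\System\\[^:]+): NameServer = (?P<servers>.+)$")

# Constructed sample log. The O17 resolvers are the ones reported in the thread;
# the O4 line and the 192.168.1.1 router entry are made up for illustration.
SAMPLE_HJT_LOG = [
    "O4 - HKLM\\..\\Run: [avgnt] C:\\Programme\\Avira\\avgnt.exe /min",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{07001AE9-9804-49CE-BF81-1805CAC2EE49}: "
    "NameServer = 93.188.164.75,93.188.166.225",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 192.168.1.1",
]

# Assumed allowlist: the resolvers this machine is expected to use (here, the home router).
EXPECTED_RESOLVERS = {"192.168.1.1"}


def parse_o17(line):
    """Return (registry_key, [resolver, ...]) for an O17 line, or None for any other line."""
    match = O17_RE.match(line.strip())
    if not match:
        return None
    servers = [s for s in re.split(r"[,\s]+", match.group("servers")) if s]
    return match.group("key"), servers


def classify_server(server, allowlist):
    """Classify one resolver address relative to the allowlist."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if server in allowlist:
        return "expected"
    # An unlisted LAN address is worth a look; an unlisted public one is the DNS-changer pattern.
    return "private-unlisted" if ip.is_private else "public-unlisted"


def audit_hjt_log(lines, allowlist):
    """Return (registry_key, resolver, verdict) for every resolver that is not expected."""
    findings = []
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        for server in servers:
            verdict = classify_server(server, allowlist)
            if verdict != "expected":
                findings.append((key, server, verdict))
    return findings


if __name__ == "__main__":
    for key, server, verdict in audit_hjt_log(SAMPLE_HJT_LOG, EXPECTED_RESOLVERS):
        print(f"{verdict:16} {server:16} {key}")
```

Run against a real log, a clean machine produces no "public-unlisted" lines; the two resolvers from this thread would each be reported once per interface key, which is exactly the set of entries the helper asked to have fixed.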

Thanks for your help. Yes, I was able to carry out all the tasks listed in your post. One point that I am not sure on: do you require a scan report prior to the changes or after? I have pasted a report below prior to the changes carried out today. Please let me know if you need to see a report from today (after the changes).

[FINDING] Includes a recognition pattern of the (dangerous) Backdoorprogrammes BDS/Papras.aak.
[WARNING] While attempting to make a backup copy of the file, an error occured and the file was not erased. Error number: 26003
[WARNING] The file could not be erased.
[INDICATOR] Will attempt to carry out the action with the help of the ARK Library.
[INDICATOR] An entity of the ARK Library is already running.
[WARNING] The file was ignored.

jdr 275,

-----------------------------------------------------------

Download and Run ComboFix

IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without guidance. ComboFix uses very forceful tactics to remove malware from your system. Your antivirus software may warn you about the file. You will need to disable all your antivirus software after downloading but BEFORE running ComboFix.

Rename it while saving the download to zzz.exe and save it to your Desktop. Do not try to rename it after it has been saved to your desktop, or the infection may prevent you from using it. **Note: It is important that it is saved directly to your desktop and run from the desktop, not from any other folder on your computer**

DISABLE AVIRA ANTIVIR

Please navigate to the system tray on the bottom right hand corner and look for an open umbrella on a red background.

Right click it and untick any of the options AntiVir Guard enable, Antivir Webguard enable, and Antivir Mailguard enable, that are present.

You should now see a closed umbrella on a red background.

The AntiVir Guards are now disabled.

Now start ComboFix (zzz.exe)

The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it. (You would).

If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).

It will run through about 50 procedures, then take a while to assemble its output log.

Do not touch the computer AT ALL while ComboFix is running.

When finished, the report will open. Post the log in your next reply, and then re-enable your AVG protection software.

A copy of the log will be located here if you need it: C:\ComboFix.txt

If you cannot connect to the internet after running ComboFix, unplug the cable you use to connect to the internet and plug it back in.

The Recovery Console produces a brief (2 second) black screen at bootup which allows an additional technical resource for repair in case of a major failure. In regular operation, you can ignore it.

askey127

I conducted all instructions as requested. A rootkit was found and the system was rebooted prior to scanning. It all ran well, with the exception that once ComboFix was finished scanning no text report was opened and my desktop was inactive (no task bar or icons). I rebooted using the task manager and found the text report in C:. See below.

Start the disinfection
C:\Qoobox\Quarantine\C\WINDOWS\system32\Drivers\disk.sys.vir
[FINDING] Is the Trojan horse TR/Rootkit.Gen3
[INDICATOR] The file was shifted into the quarantine list under the name '4fa1475a.qua'!

You probably are aware of the situation as follows, but I will remind you anyway:

------------------------------------------------------

Warning - Compromised Data

Because the infection has had remote control access to all your Internet activities, you should assume that any data on it may have been stolen. Take whatever precautions you think sensible about any financial (credit cards, banking, etc.), or other critical information that has been passed through or stored on the machine. I would suggest changing all account names/numbers, and passwords for ANY accounts that have been used with the machine. That includes not only banking, credit cards, and financial, but also website and e-mail accounts as well. Normally you should not use the infected machine to make the changes. In this case, I think your machine is clean right now.

Everything appears to be running well, thanks. I really appreciate your assistance during the last few days. A really great support. Competent and friendly, with clearly understandable instructions. I will not hesitate to recommend your site to friends. I will also take your advice and avoid P2P in the future. I will also change all passwords used up till now. What else can I do to protect my system? Obviously AntiVir is not enough. From the software installed during your support, what can be removed?

jdr 275,

You can delete HiJackThis and Combofix (zzz.exe). You can also delete the folder C:\Qoobox\. The \Qoobox\ folder is the ComboFix Quarantine location. Be careful not to activate any files therein. Just delete.

I would suggest you keep Avira Antivir. It is an excellent antivirus. If the "nag" screen is bothersome, you can get the inexpensive Antivir paid version, or replace it with Microsoft Security Essentials. If you replace it, be sure to Uninstall Antivir when you Install Microsoft Security Essentials.

-----------------------------------------------------------

Replace the Current HOSTS File with MVPs

You can read about HOSTS files here: http://www.mvps.org/winhelp2002/hosts.htm

Disable DNS Client Service. This is necessary when installing a large HOSTS file.

From Start, or Start, Run, type services.msc in the box and hit <Enter>. Give permission to continue if necessary.
Scroll down to DNS Client on the list, Right Click it and choose Properties.
Under Service Status, click Stop. Wait until it reports the service stopped.
Under Startup Type, choose Disabled.
Then click Apply, OK.

Use HostsXpert to Install the HOSTS File

Download HostsXpert and unzip (extract) it to your computer, somewhere where you can find it.

Double click on HostsXpert.exe to launch the program. Give whatever Permissions are required.

In the bottom half of the left pane, click on File Handling

If the first button at the top is labeled Make Writeable?, click on it so the label changes to Make Read Only

Click third button from the bottom, labeled Download. A couple new buttons will appear at the top.

Click on the top button labeled MVPs Hosts and choose Replace

When asked to verify if you want to Replace present Hosts file, click OK.

When it finishes, click on File Handling again.

Click the button at the top labeled Make Read Only, so the label changes to Make Writeable?

Hit the X in the upper right corner to exit HostsXpert

-----------------------------------------------------------Install WinPatrol - Download and Install the Free WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html - WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system.
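The MVPs HOSTS file works by mapping unwanted names to a sink address (0.0.0.0 or 127.0.0.1), so once it is installed every line in the file should do exactly that. A quick way to confirm the file has not been altered is to parse it and report any name that resolves somewhere else. The script below is an added example, not part of this thread or of HostsXpert; the sample HOSTS text is constructed, reusing one of the resolver addresses quoted earlier in the thread as the example of an external redirect. It reads the file from a string, but the same function can be given the contents of C:\WINDOWS\system32\drivers\etc\hosts.

```python
"""Audit a HOSTS file: blocklist entries should only point at sink addresses."""
import ipaddress

# Addresses a blocklist-style HOSTS file (such as MVPs) legitimately maps names to.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample HOSTS contents for illustration.
SAMPLE_HOSTS = """\
# constructed sample, not a real HOSTS file
127.0.0.1 localhost
0.0.0.0 ad.example.invalid                 # MVPs-style block entry
192.168.0.10 printer.lan                   # LAN shortcut, plausibly legitimate
93.188.164.75 update.example.invalid       # name redirected to an external host
"""


def parse_hosts(text):
    """Yield (line_number, address, [names], error) for each non-comment line."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            entries.append((lineno, None, [], "malformed"))
            continue
        entries.append((lineno, parts[0], parts[1:], None))
    return entries


def audit_hosts(text):
    """Return (line_number, verdict, detail) for every line that is not a plain sink entry."""
    findings = []
    for lineno, addr, names, error in parse_hosts(text):
        if error:
            findings.append((lineno, error, None))
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, "invalid-address", addr))
            continue
        if addr in SINK_ADDRESSES:
            continue                              # expected blocklist form
        # Anything else actively redirects a name; LAN targets are usually the user's
        # own, external targets are the pattern a tampered HOSTS file shows.
        verdict = "lan-redirect" if ip.is_private else "external-redirect"
        for name in names:
            findings.append((lineno, verdict, f"{name} -> {addr}"))
    return findings


if __name__ == "__main__":
    for lineno, verdict, detail in audit_hosts(SAMPLE_HOSTS):
        print(f"line {lineno}: {verdict} {detail or ''}")
```

After installing the MVPs file the only lines reported should be whatever LAN shortcuts you added yourself; an "external-redirect" for a vendor, update or banking name is the thing to investigate.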
